The Transaction Broadcast Privacy Problem
THE ISSUE
When your node broadcasts a transaction you created, network observers (e.g. spy nodes with many connections) can use timing analysis and connection fingerprinting to link the transaction back to your IP address.
WHY EXISTING TOR ISN'T ENOUGH
Even if you're connected to some Tor peers, long-lived connections can be fingerprinted and correlated with your clearnet identity. A persistent connection to a Tor peer is still a fixed, identifiable channel that can be attributed over time.
HOW LONG HAS THIS BEEN KNOWN?
This has been a known issue for years, with at least six related GitHub issues dating back to 2014 (issue #3828). That's 12 years of this being an open problem.
The Fix: Short-Lived Anonymous Connections
APPROACH
Broadcast locally submitted transactions (from
sendrawtransaction RPC) to the P2P network only via Tor or I2P short-lived connections, or to IPv4/IPv6 peers but routed through the Tor network.KEY PROPERTY 1
IP concealment — your real IP address is never associated with the transaction broadcast.
KEY PROPERTY 2
Unlinkability — separate short-lived connections for each transaction prevent linking multiple transactions to the same source.
HOW IT DIFFERS FROM EXISTING TOR SUPPORT
Current Tor connections in Bitcoin Core are long-lived — the same circuit is used for many transactions over time. The new approach creates a fresh, disposable connection for each transaction broadcast, then tears it down. No persistent channel to fingerprint.
What This Protects Against
✓ DEFENDED
Spy nodes — entities running many Bitcoin nodes to observe which node first broadcasts a transaction.
ISP-level surveillance — even if your ISP sees you connecting to Tor, they can't see what you're sending.
Cross-transaction linking — each tx uses a different connection, preventing clustering.
ISP-level surveillance — even if your ISP sees you connecting to Tor, they can't see what you're sending.
Cross-transaction linking — each tx uses a different connection, preventing clustering.
✗ NOT DEFENDED
On-chain analysis — this protects the network layer, not the transaction graph. UTXO linkage and amount correlation still work.
Tor-level adversary — a global passive adversary controlling Tor entry/exit nodes could still correlate traffic (but this is a much higher bar).
Tor-level adversary — a global passive adversary controlling Tor entry/exit nodes could still correlate traffic (but this is a much higher bar).
PRACTICAL IMPACT
For most Bitcoin users, the network-layer privacy leak is the easiest and most commonly exploited attack vector. Chain surveillance companies routinely run supernodes to deanonymise broadcasters. This PR raises the cost of that attack significantly.